Digging Deeper Into ANDROIDOS_CONTACTS.E’s Data Stealing Routines

My previous post discussed how certain spam messages can lead to the downloading of malicious apps detected as ANDROIDOS_CONTACTS.E. This time around, we focused on the app’s routines and how the people behind this threat possibly profit.

My analysis focused particularly on the app “Solar Charge”. This Android app (detected as ANDROIDOS_CONTACTS.E) was found to gather contact information, such as email addresses, from the infected device. The perpetrators behind such apps may then peddle the gathered data to potential attackers and spammers.

When users install the app, it shows the list of permissions that it requests. However, a closer look at these permissions reveals that the app also requests the contact details and the list of accounts stored on the device.

Permissions                          Functions
android.permission.READ_CONTACTS     Allows app to read the user’s contacts data
android.permission.BATTERY_STATS     Allows app to collect battery statistics
android.permission.INTERNET          Allows app to open network sockets
android.permission.READ_PHONE_STATE  Allows read-only access to phone state
android.permission.GET_ACCOUNTS      Allows access to the list of accounts in the Accounts Service

Unfortunately, granting such permissions may give other parties access to specific details, which they may distribute to potential spammers.
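The risk in the permission list above is the combination, not any single entry: READ_CONTACTS or GET_ACCOUNTS gives the app the personal data, and INTERNET gives it a way to send that data off the device. The following Python script is an added example (not code from the original post or from Trend Micro) that triages an AndroidManifest.xml for exactly that pairing. The manifest fragment is constructed for the example, using the permission names listed above; the package name is a placeholder.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment: the permission names are the ones listed in
# the post; the package name is a placeholder, not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.BATTERY_STATS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

# Permissions that expose personal data; paired with INTERNET they make
# exfiltration possible, which is the pattern the post describes.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.GET_ACCOUNTS": "account list (e.g. Gmail address)",
    "android.permission.READ_PHONE_STATE": "phone identifiers",
}


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr, "") for el in root.iter("uses-permission")]


def triage(manifest_xml: str) -> dict:
    """Flag manifests that can both read personal data and reach the network."""
    perms = set(extract_permissions(manifest_xml))
    leaks = {p: DATA_ACCESS[p] for p in perms if p in DATA_ACCESS}
    has_net = "android.permission.INTERNET" in perms
    return {
        "permissions": sorted(perms),
        "data_access": leaks,
        "network": has_net,
        "exfil_capable": has_net and bool(leaks),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("exfiltration-capable:", report["exfil_capable"])
    for perm, what in report["data_access"].items():
        print(f"  {perm} -> {what}")
```

The check is deliberately coarse: many legitimate apps legitimately hold READ_CONTACTS plus INTERNET, so the output is a prompt to look at what the app actually does with the data (as the rest of the post does), not a verdict on its own.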

Aside from requesting access to device information such as contacts and the account service, “Solar Charge” itself doesn’t work. Instead, the app only displays the message “Charging” and pretends to charge the device using sunlight. While supposedly charging, another message appears stating that the app “is not available for your device”.

During this “charging state”, the app is actually attempting to steal contact details and Gmail accounts from the device and send these to a specific remote server.

In our analysis of the app’s code, we found the code responsible for stealing personal information such as contacts and email addresses.

The screenshot above shows the contents of the communication between Solar Charge and the remote server. We can see that the app attempted to send telephone numbers to the address “myid=080{BLOCKED}”. After the parameter “frdata=”, we also notice that the information gathered from the device’s contact details is URL-encoded.

Based on our decoding, we found that the app attempts to send details such as names, phone numbers and email addresses to a specific remote server.
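For an incident responder with a capture of this traffic, the two things worth automating are spotting the request shape (a form body carrying both “myid” and “frdata”) and decoding what was actually taken. The Python below is an added example, not code from the original post or from Trend Micro. The sample POST body is constructed; the “myid=080{BLOCKED}” value mirrors the post, while the record layout inside frdata (one “name,phone,email” line per contact) is an assumption made for this example, since the post does not document the app’s exact format.

```python
from __future__ import annotations
from urllib.parse import parse_qs, quote

# Constructed sample of the POST body described in the post: a "myid"
# parameter followed by URL-encoded contact data in "frdata". The record
# layout inside frdata (one "name,phone,email" line per contact) is an
# assumption for this example, not the real app's documented format.
_CONTACTS_PLAINTEXT = (
    "Alice Example,09012345678,alice@example.com\n"
    "Bob Example,08098765432,bob@example.com"
)
SAMPLE_BODY = "myid=080{BLOCKED}&frdata=" + quote(_CONTACTS_PLAINTEXT, safe="")


def is_contacts_exfil(body: str) -> bool:
    """Cheap IDS-style indicator: a form body carrying both 'myid' and 'frdata'."""
    params = parse_qs(body, keep_blank_values=True)
    return "myid" in params and "frdata" in params


def decode_frdata(body: str) -> list[dict[str, str]]:
    """Recover the contact records from a captured request body."""
    params = parse_qs(body, keep_blank_values=True)  # parse_qs also URL-decodes
    if "frdata" not in params:
        return []
    records: list[dict[str, str]] = []
    for line in params["frdata"][0].splitlines():
        fields = line.split(",", 2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the whole decode
        name, phone, email = (f.strip() for f in fields)
        records.append({"name": name, "phone": phone, "email": email})
    return records


def summarize(body: str) -> dict[str, int]:
    """Counts a responder would put in a report: how many contacts, phones, emails leaked."""
    recs = decode_frdata(body)
    return {
        "contacts": len(recs),
        "phones": sum(1 for r in recs if r["phone"]),
        "emails": sum(1 for r in recs if "@" in r["email"]),
    }


if __name__ == "__main__":
    print("looks like contacts exfil:", is_contacts_exfil(SAMPLE_BODY))
    for rec in decode_frdata(SAMPLE_BODY):
        print(rec)
    print(summarize(SAMPLE_BODY))
```

Because parse_qs already reverses the URL encoding, the decoded frdata is what the post’s “based on our decoding” step produced by hand; the summary counts are what matters for notifying affected contacts.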

Here is the list of servers to which the malicious apps detected as ANDROIDOS_CONTACTS send the stolen data over HTTP.

The people behind this app may have used servers located in different countries, possibly to avoid identification. In addition, they can quickly replace a server if one is blocked.

Mobile Addresses Sold From 0.14 Yen – 1.5 Yen

The big question now is: why do these spammers keep stealing contacts using malicious apps? We can cite two reasons. First, they can use the stolen accounts as part of their spam distribution list. Second, they can sell the stolen data to other groups that prefer “fresh” accounts for their own businesses, such as dating sites. These accounts are sold in lots, with each lot containing tens of thousands of stolen account records. Prices for each stolen account range from 0.14 Yen to 1.5 Yen.

Trend Micro users need not worry, as Trend Micro Mobile Security detects these apps as ANDROIDOS_CONTACTS.E. As a precaution, users should always scrutinize the permissions they grant to the apps they install, since these may lead to unwanted disclosure of device information to certain parties. To learn more about how to keep your mobile device data protected, you may refer to our Digital Life e-Guides below: